How to implement a GRC framework

On a regular basis, we share a guest columnist article from our archives about a topic which is still as relevant today as it was when it was first written. This piece is by financial services journalist, regtech and fintech expert, Ellen Davis, and was first published in Issue 22 of The Risk Universe, in October 2013.

In our latest From the Archives piece, Ellen Davis provides a step-by-step guide on building a sound Governance, Risk and Compliance framework for your firm.

Much ink and breath is spent on defining just what a governance, risk and compliance (GRC) framework is, and the best practices around implementing one. As in the parable of the blindfolded people each describing an elephant only by the parts that they can feel with their hands – the trunk, the tail, a leg – often understanding of just what a GRC framework should be is limited by the perspective of the individual attempting to describe it. Within organisations, the implementation of a GRC framework can be limited by the “art of the possible” – what an organisation is able to achieve given time, cost and resource constraints. It can also be limited by a lack of senior management support, a failure to achieve business line buy-in, or turf wars over ownership of details such as taxonomies, workflows, and processes.

The end result can be cultural apathy towards the GRC project. While organisations see GRC as a kind of Holy Grail, the reality is that many struggle to implement. Most people would agree that a failure to approach internal audit, governance, risk and compliance in an intelligent, cohesive way has led to headlines, fines, and organisational failures. “Not doing” GRC is really not an option. So – how should an organisation go about conceptualising and implementing a GRC framework?

Its first step should perhaps be to rename it. GRC was originally conceived as a way to put audit, governance, risk and compliance on equal footing as teams within an organisation – and this is as it should be. Each of these areas performs a vital function within a three-lines-of-defence model. But the reality is that this is a perspective limited by the same kind of perception challenges evident in the elephant parable. While audit, governance, risk and compliance are essential functions, the pachyderm in the room has always been “enterprise risk management”.

Enterprise risk management, done properly, is not something that the risk team does once a year to produce a 50-page report. It is a continuous, ongoing activity that governance, risk, audit, and compliance all engage in, to help drive strategic decision-making, improvements in operational excellence, and reduction of costs associated with losses, errors, and mismanagement.

An ERM framework should be grounded in the organisation’s risk appetite – a set of risk-and-return goals that is agreed by everyone, from the board of directors all the way down to individuals in the business units. The risk appetite becomes the central governance hub for the organisation – a core, actionable philosophy that, once transformed into a risk culture, should align all employees and create a vocabulary through which everyone can converse.


The volume and velocity of regulatory change today puts compliance risk front-and-centre for most organisations, but particularly those in highly-regulated industries. Reducing or eliminating compliance risk requires organisations to confront their primary source of such risk – the management of regulatory change.

The risk teams of organisations must reach beyond annual exercises and thick reports. It is their job to help the business understand the risks it faces and how those risks relate to its share of the organisation’s risk appetite, and to help align the two. This should be an active, organic activity.


This essential function must resurrect itself from the avalanche it was buried under by Sarbanes-Oxley and related internal controls legislation. Internal audit should play a key role in organisations – it must audit the governance, compliance and risk functions. It must also use its role as the so-called “third line of defence” to work in partnership with the risk function to identify emerging risks.

Overall, the governance, compliance, risk and audit functions need to work more closely with the business – the front line – to improve the recognition, understanding and management of enterprise risk. If one accurate accusation can sometimes be levelled at GRC efforts, it is that too much of the focus has been on the inward-looking effort to align governance, audit, risk and compliance. The reality is that these should align naturally as organisations seek to speak about enterprise risk management with one voice.


There is little doubt that the concept of the unified enterprise risk appetite vision is one of the most profound pieces of work to come out of the financial crisis. Regulators, industry, and shareholders have rallied around this idea. But agreeing that an enterprise risk appetite is a good thing is relatively easy – implementing a good enterprise risk appetite framework as the cornerstone of an enterprise risk management programme is much harder to do.

Organisations must have a frank internal dialogue that identifies their enterprise risk capacities – the risk capacity should be the maximum amount of risk an organisation can bear given the resources it has, and its obligations to stakeholders. It is the outer limit, a maximum that should ideally never be reached. Within that boundary, the organisation should then understand the amount and sorts of risks that it is able and willing to take given the strategic goals set by the board and senior management – its enterprise risk appetite.

Once an enterprise risk appetite is arrived at, with appropriate limits and tolerances built in, it must be transmitted to the organisation through the enterprise risk culture. The enterprise risk culture – the cornerstone of how enterprise risk management is successfully achieved – can only be successful if it is actively supported by compliance, audit and risk.

But even more importantly, the business itself must own the enterprise risk appetite, and the idea that the change it can create will be productive and healthy. Ideally, the business helps shape the risk appetite and provides active feedback on its appropriateness as well as the business’s ability to stay within its confines. Front line people must understand the importance of risk and what it means to take risk-based decisions.


If Governance is about setting the enterprise risk appetite and animating it through the implementation of an enterprise risk culture, then Risk is focused on the hard reality of measuring and managing enterprise risk in alignment with the business. A good risk team should partner with the business – success has really been achieved when the business actively seeks the analysis and insight of the risk department before taking important decisions. It is tempting to say that, within an enterprise risk framework, “risk” is more equal than its GRC partners. But this is not the case – risk has a role to play and it cannot play it without working as an equal with governance, audit and compliance.

Given the need for this partnership, the risk team must ensure that its focus goes far beyond what is mandated by regulation. It should take the risk appetite framework and turn it into the kind of feedback loop that the board of directors, senior management, and business line partners naturally turn to for decision-making. It should also actively measure the state of the organisation’s risk culture.

More than that, one of the areas in which risk management is adding the most value in some organisations is as a core pillar of the change process. Today’s enterprises are constantly evolving to meet a range of pressures head-on, including economic, social, political, and environmental change.

It is the role of the risk team to work with the compliance, audit and governance teams to scan the horizon for potential new risks and help the organisation either avoid the risks or change to be able to manage them appropriately. By embracing change, organisations often find they better align their resources, and reduce costs due to errors, mismanagement, and other problems in a proactive way.


Of all of the components of a GRC or Enterprise Risk Management framework, it is compliance that is undergoing the most radical change at the moment. Once, compliance was a reactionary, tactical assurance function that responded to individual regulatory mandates through focused projects and targeted alterations to processes.

Today, compliance is all about change management. The volume and velocity of regulatory change in many industries is now such that the isolated, project-focused change motions of the past are unable to reach completion in the time required. For these industries, regulatory change management must become business as usual in order to ensure that an organisation can reduce or eliminate the compliance risk associated with it. Other, less impacted industries are looking to these new regulatory change management concepts as best practice.

Best practice organisations are therefore taking their compliance teams and turning them into regulatory change management machines. Dusty legal texts are becoming “big data”, and the word “risk” is appearing in the lexicon of compliance officers more and more. Organisations are beginning to hire beyond the traditional legal skill set, and seek out individuals who have change management skills in their toolbox. And they are starting to create processes that turn compliance into a repeatable, sustainable activity.

Lastly, best practice organisations are ensuring that compliance is completely connected, through an enterprise risk lens and vocabulary, to the rest of the organisation. Analytical techniques from risk management are starting to cross over – such as the modelling of legal losses. Compliance officers talk of the “compliance culture” of their organisation, which must be connected into the risk appetite and risk culture to be successful. And compliance is even beginning to borrow techniques to measure the quality of their change processes from audit.


The internal audit function is also beginning to alter its focus, as it seeks to align with an enterprise risk management outlook. Internal auditors wish to move beyond the scope of Sarbanes-Oxley and similar controls-focused rules. These effectively turned internal audit into old-fashioned “compliance” functions, and away from a proactive approach to understanding and supporting the business. Today’s best practice audit organisations are examining:

  • Frequency and types of communication from Internal Audit to the Audit Committee, Executive Management, Senior Management and other personnel
  • Internal Audit’s role in performing both assurance and advisory services to the organisation
  • Increasing the transparency and awareness of Internal Audit’s role in the organisation, through targeted initiatives
  • Conducting further assessments of the business orchestrated by Internal Audit and shared with the broader management team
  • Internal Audit’s access to records and previous situations when access was not provided
  • Internal Audit’s awareness of the strategic plan and organisational objectives
  • Availability for Internal Audit to educate the Audit Committee and/or other boards on various Financial, Operational, Compliance and Strategic matters

While the shift towards risk-based auditing has been happening for some time, there is now also a renewed passion for working with the business to identify “emerging risks” through the audit process, and aligning those risks with the risks identified by the risk and compliance teams.

And like compliance, audit is beginning to get a new appreciation for “big data”. Internal audit is finding significant value in the information now collected by the governance, risk and compliance teams. As well, internal audit is reaching out into the business and beyond to harvest its own data sets to help it analyse and shape a more strategic dialogue with key stakeholders.

In conclusion, governance, risk, audit and compliance are moving beyond the simple GRC framework in many best practice organisations and into more of an enterprise risk management structure where key elements are driving evolved thinking, including:

  • A new focus on enterprise risk as a lens through which alignment of traditional GRC can now be structured;
  • The realisation that change management has to be a core competency of any good ERM programme;
  • An embracing of the power of data across the ERM disciplines;
  • A drive to work more closely with the business, to add value to the business through strategic thought and operational insight;
  • A need to use the ERM framework not just to manage today’s risks but to try to foresee future, emerging risks using a variety of disciplines.
